L9. Bastion-less Access: Systems Manager Session Manager & PrivateLink
Video generating
Check back soon for the video lesson on Bastion-less Access: Systems Manager Session Manager & PrivateLink
Eliminate the bastion host and the open SSH port with Session Manager, and eliminate the public internet path to AWS APIs with Gateway and Interface VPC endpoints.
Removing the Bastion Host
The traditional pattern for reaching a private EC2 instance involved opening inbound SSH (port 22) or RDP (port 3389), usually through a bastion or jump host that itself had to be patched, monitored, and locked down. AWS Systems Manager Session Manager removes that requirement entirely. It provides browser-based or CLI shell access to EC2 instances, and even to on-premises servers registered as managed instances, without opening any inbound port and without a bastion host in the architecture at all.
Session Manager has three requirements: the SSM Agent must be running on the target instance, the instance needs an IAM role with the appropriate SSM permissions attached, and the instance needs outbound connectivity to the Systems Manager service, either directly or through a VPC endpoint if it has no internet route. Nothing has to listen for inbound connections; the instance reaches out to the SSM service instead.
Built-In Auditability
Every session can be configured to log its full command input and output to S3, to CloudWatch Logs, or both, giving security teams a complete transcript of what an engineer did during a session. Session Manager also integrates with CloudTrail, recording who started a session, on which instance, and when it ended. This combination eliminates the attack surface of an open SSH port while also improving the audit trail compared to traditional SSH key-based access, which typically leaves no record of the commands actually run.
Keeping AWS API Calls Off the Public Internet
VPC endpoints solve a related problem: reaching AWS service APIs (S3, DynamoDB, Systems Manager, and dozens of others) without routing that traffic over the public internet or through a NAT gateway.
There are two types:
| Endpoint type | Cost | Services supported | How it appears in the VPC |
|---|---|---|---|
| Gateway endpoint | Free | S3 and DynamoDB only | A route table entry |
| Interface endpoint | Billed hourly + data | Most other AWS services | An ENI with a private IP |
PrivateLink Beyond AWS Services
PrivateLink is not limited to consuming AWS's own services. You can front your own application with a Network Load Balancer and publish it as an endpoint service, letting other VPCs, including ones in entirely different AWS accounts, connect to it privately through an Interface endpoint. None of that traffic touches the public internet, and unlike VPC peering, it does not require route table entries connecting the two VPCs to each other or CIDR ranges that avoid overlapping. Exam tip: If a question mentions eliminating inbound SSH/RDP while preserving auditability, think Session Manager. If it mentions eliminating the public internet path for AWS API calls, or exposing a service across accounts without peering, think VPC endpoints and PrivateLink.
- ✓Session Manager gives shell access to EC2 instances without opening inbound SSH/RDP ports and without a bastion host, using the SSM Agent and an IAM role
- ✓Every Session Manager session can be logged in full (commands and output) to S3 and/or CloudWatch Logs, and session start/stop is recorded in CloudTrail
- ✓Gateway VPC endpoints are free and only support S3 and DynamoDB
- ✓Interface VPC endpoints (built on AWS PrivateLink) support most other AWS services and appear as a private ENI inside your VPC, avoiding the public internet and NAT gateways entirely
- ✓PrivateLink can also expose your own NLB-fronted service privately to other VPCs or AWS accounts without VPC peering and without traffic touching the public internet
1. A security team wants to eliminate inbound SSH access to a fleet of EC2 instances while still allowing engineers to get a shell for troubleshooting. What should they implement?
2. Which AWS services can be reached using a Gateway VPC endpoint?
3. A company wants to let a partner's VPC in a different AWS account privately call an internal API hosted behind a Network Load Balancer, without VPC peering or exposing it to the internet. What should they use?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured SCS-C02 learning paths, hands-on AWS security labs, and timed practice exams to make it stick before exam day.